Question regarding suspicious PHP
Posted: 21 Dec 2022, 21:26
Hi guys.
I saw your post viewtopic.php?t=2985 regarding blocking suspicious PHP files, but I have questions regarding this...
I receive a batch of emails like this from time to time:
Scanning web upload script file...
Time : Wed, 21 Dec 2022 13:36:03 -0500
Web referer URL : www.google.com
Local IP : 192.XXX.XXX.XXX
Web upload script user : mywebsite (1008)
Web upload script owner: mywebsite (1008)
Web upload script path : /home/mywebsite/public_html/wp-admin/admin-ajax.php
Web upload script URL : ....ca/wp-admin/admin-ajax.php?action=uploadFontIcon
Remote IP : 172.71.95.13
Deleted : No
Quarantined : Yes [/home/mywebsite/.quarantine/20221221-133602-Y6NSEvZMj1ODjbhUdUZ3ggAAACM-file-QG4hkN.1671647763_1]
or
Scanning web upload script file...
Time : Wed, 21 Dec 2022 13:36:18 -0500
Web referer URL : www.google.com
Local IP : 192.XXX.XXX.XXX
Web upload script user : mywebsite (1008)
Web upload script owner: ()
Web upload script path : /home/mywebsite/public_html/wp-content/plugins/divi-contact-extended
Web upload script URL : ....ca/wp-content/plugins/divi-contact-extended/includes/upload.php
Remote IP : 172.71.98.197
Deleted : No
Quarantined : Yes [/home/mywebsite/.quarantine/20221221-133617-Y6NSIT7nWVx48U2q_vD8NgAAAAY-file-fTQChE.1671647778_1]
NOTE: [/home/mywebsite/public_html/wp-content/plugins/divi-contact-extended] does not exist on this server. However, ModSecurity is still triggering cxs to scan the attempted uploading of potentially malicious data
My questions are:
- For the first example, why does my WordPress allow someone to upload a file using the "admin-ajax.php" located inside /wp-admin/? Shouldn't he be blocked and asked for a password before being able to access "http://www.cglmicro.ca/wp-admin/admin-a ... adFontIcon"? Does it mean he has admin access of some kind in my WordPress?
- For the second example, I can see I don't have the mentioned plugin "/public_html/wp-content/plugins/divi-contact-extended", so the hacker can't exploit that plugin to gain access to my site, and the "web upload script owner" is empty. Is it normal that a hacker can try many URLs to see if I have a vuln without being blocked?
- What should I do to prevent anyone from uploading PHP files, except for admin users that are logged in to WordPress?
Thank you.
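The cxs notices quoted in the post arrive flattened into one line each; splitting them back into fields makes it easier to sort the two situations apart (an upload handled through wp-admin/admin-ajax.php versus a probe for a plugin path that does not exist on the server). Added example, not cxs's or WordPress's own code: the field labels are the ones in the notices as quoted, the two samples are constructed copies of them (masked IP and truncated host kept as shown), and the triage buckets are an assumption of mine.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed copies of the two notices quoted in the post (masked IP, truncated host kept as shown).
SAMPLES = [
    "Scanning web upload script file... Time : Wed, 21 Dec 2022 13:36:03 -0500 "
    "Web referer URL : www.google.com Local IP : 192.XXX.XXX.XXX "
    "Web upload script user : mywebsite (1008) Web upload script owner: mywebsite (1008) "
    "Web upload script path : /home/mywebsite/public_html/wp-admin/admin-ajax.php "
    "Web upload script URL : ....ca/wp-admin/admin-ajax.php?action=uploadFontIcon "
    "Remote IP : 172.71.95.13 Deleted : No Quarantined : Yes [/home/mywebsite/.quarantine/20221221-133602-Y6NSEvZMj1ODjbhUdUZ3ggAAACM-file-QG4hkN.1671647763_1]",
    "Scanning web upload script file... Time : Wed, 21 Dec 2022 13:36:18 -0500 "
    "Web referer URL : www.google.com Local IP : 192.XXX.XXX.XXX "
    "Web upload script user : mywebsite (1008) Web upload script owner: () "
    "Web upload script path : /home/mywebsite/public_html/wp-content/plugins/divi-contact-extended "
    "Web upload script URL : ....ca/wp-content/plugins/divi-contact-extended/includes/upload.php "
    "Remote IP : 172.71.98.197 Deleted : No Quarantined : Yes [/home/mywebsite/.quarantine/20221221-133617-Y6NSIT7nWVx48U2q_vD8NgAAAAY-file-fTQChE.1671647778_1] "
    "NOTE: [/home/mywebsite/public_html/wp-content/plugins/divi-contact-extended] does not exist on this "
    "server. However, ModSecurity is still triggering cxs to scan the attempted uploading of potentially malicious data",
]

# Field labels as they appear in the notice; a value runs until the next label (or the NOTE).
LABELS = ["Time", "Web referer URL", "Local IP", "Web upload script user",
          "Web upload script owner", "Web upload script path", "Web upload script URL",
          "Remote IP", "Deleted", "Quarantined"]
_ALT = "|".join(re.escape(l) for l in LABELS)
_FIELD_RE = re.compile(r"\b(?P<label>" + _ALT + r")\s*:\s*(?P<value>.*?)"
                       r"(?=\s+(?:" + _ALT + r")\s*:|\s+NOTE:|$)", re.DOTALL)
_NOTE_RE = re.compile(r"NOTE:\s*\[([^\]]+)\] does not exist on this server")

def parse_cxs_notice(text):
    """Split one flattened cxs 'web upload script' notice into a dict of fields."""
    rec = {m.group("label"): m.group("value").strip() for m in _FIELD_RE.finditer(text)}
    # The ajax action, if any, is the "action" parameter in the script URL's query string.
    query = urlsplit(rec.get("Web upload script URL", "")).query
    rec["action"] = parse_qs(query).get("action", [None])[0]
    # "Quarantined : Yes [file]" carries the path of the quarantined copy after the flag.
    box = re.search(r"\[([^\]]+)\]", rec.get("Quarantined", ""))
    rec["quarantine_file"] = box.group(1) if box else None
    note = _NOTE_RE.search(text)
    rec["missing_path"] = note.group(1) if note else None
    return rec

def triage(rec):
    # Coarse bucket for an inbox of these notices (heuristic assumed here, not a cxs feature).
    if rec["missing_path"]:
        return "probe-nonexistent-path"   # nothing on disk to exploit; scanner noise to rate-limit
    if rec.get("Web upload script path", "").endswith("/wp-admin/admin-ajax.php"):
        return "core-ajax-upload"         # reachable before login; review the handler for that action
    return "other"
```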